Password policies still too lax in most large companies

According to a new Symantec study, on average, more than 66 percent of large North American organizations
still have not implemented two-factor password authentication policies for the partners and contractors that
access their corporate networks.

The report, which polled 306 large enterprises, was conducted by Forrester Research on behalf of Symantec.
The respondents included companies from both Canada and the United States, all of them employing at least a
thousand people, and 30 percent of the organizations comprising more than 5,000 people.

In addition to the lack of strong password authentication for business partners, distributors and contract
workers, Symantec found that about 87.2 percent of companies expected their users to remember two or more
passwords to access corporate resources.

"More than 64.7 percent of companies had at least six different password policies in place," said Atri
Chatterjee, vice-president of user authentication at Symantec. He added that up to half of all IT help desk
calls deal with password reset issues.

With more enterprise employees using their own devices to log into the corporate network, Symantec said
the importance of access security has reached par with other areas such as firewall and network security. Most
companies are dealing with this critical issue, Chatterjee said, by creating large and cumbersome password
policies, which isn't always the best solution, he added.

Symantec said the move to two-factor authentication technologies, which require employees to use a password
in conjunction with a software or hardware token, is the most effective way to provide strong access control.

But while two-factor authentication is being used at the majority of large enterprises throughout North
America, Chatterjee added that the technology is only used on a very limited basis.

“They roll it out to the finance department or senior management only,” he said, adding that large gaps
in two-factor authentication deployment mean organizations are only as strong as their “weakest link.”

“Overall, the reaction has been to make password policies a lot more complex, but it has resulted in more
difficulties for users, and that is when many of them start cutting corners, which is often the beginning of many
security issues,” he added.

To help businesses, Symantec says it now offers two-factor authentication as a service that can run in the
cloud. It also said it can roll out software tokens to all major smartphone brands as well.

Symantec’s new report comes just a few weeks after EMC Corp. released its RSA SecurID Software Token for
Android, which allows users to authenticate themselves to business apps using their Android-based smartphones.

For example, when enterprise users are ready to log in to the corporate ERP system from their laptop, they
can generate a one-time passcode with the Android app that grants them access. Each passcode is valid for only
60 seconds, and the tokens are provisioned through RSA’s traditional Authentication Manager software.

Rachael Stockton, manager of product marketing at RSA, said this functionality was in high demand among existing
RSA customers as the growth of Android in the enterprise world continues at a rapid pace. She added that the
ubiquity of the smartphone in general makes it a natural host for a software authentication token.

“For the most part, people usually don’t forget their smartphones, so it lowers the support calls,” Stockton
added.